Hong Kong Consumer Council Data Breach Reveals Lack of Multi-Factor Authentication, Privacy Commissioner Demands Correction

【May 3, 2024, Epoch Times News】The Consumer Council’s computer system was hacked and extorted in September last year. The Privacy Commissioner for Personal Data released the investigation results on May 2, indicating that the incident resulted in over 450 individuals’ personal information being unlawfully accessed. The main cause of the breach was the Consumer Council’s failure to enable multifactor authentication and the failure to cancel remote network connections after the work-from-home arrangement ended, leading to the inability to verify the identities of those accessing remote data, in violation of the Privacy Ordinance. Privacy Commissioner Elizabeth Chung stated that a compliance notice had been issued to the Consumer Council to rectify the situation to prevent similar breaches from occurring again.

The investigation by the Commissioner’s Office revealed that the compromised personal data belonged to 289 complainants, 26 employees of IT service providers, 138 current employees, and 24 former employees of the Consumer Council, and included information such as names, phone numbers, and addresses. It was also discovered that the hacker group obtained credentials with administrative privileges, accessed the Consumer Council’s network through a Virtual Private Network (VPN), and launched ransomware attacks on the Council’s servers and endpoint devices on September 19 and 20 last year, resulting in 93 systems being maliciously encrypted and 11 servers and endpoint devices infiltrated, including staff desktops and company cell phones.

Chung mentioned that during the COVID-19 pandemic at the end of 2020, the Consumer Council implemented a work-from-home arrangement allowing employees to connect to the organization’s network remotely via VPN. At that time, due to some employees’ resistance to installing additional multifactor authentication software and understaffing in the IT department, the Council did not enable multifactor authentication for users accessing the network remotely. Although the work-from-home arrangement was discontinued in May 2022, employees were still allowed to connect to the network remotely without the need for multifactor authentication.

The Commissioner’s Office pointed out that the Consumer Council’s failure to enable multifactor authentication led to the inability to verify the identities of those accessing data remotely. Other deficiencies included the inadequate configuration of software for detecting and intercepting network security threats, insufficient security measures to prevent or prohibit the storage of personal data on test servers, the lack of comprehensive and specific information security policies, and insufficient awareness of safeguarding personal data privacy and network security, such as an employee not following the organization’s complex-password policy. Chung stated that the Office required the Consumer Council to complete seven directives, including hiring an independent information security expert to review security measures and establishing clear and comprehensive procedures to prevent employees from storing data on test servers.

When asked about the existence of the leaked data on the dark web, she mentioned that the online world is unpredictable, and it is unknown when hackers will expose the data, likening it to being “lost in the sea.” Chung strongly advised organizations not to pay ransom in case of data breaches, as it cannot prevent the data from being further disclosed by third parties, and should not condone hackers’ illegal activities.

The Consumer Council responded by stating that the overall impact on personal data in the incident was very limited. According to data from an external dark web monitoring service, no affected data has been found to be publicly exposed. They also mentioned that they and the experts have yet to determine how the hackers obtained the account credentials.

The Council emphasized that it takes seriously the shortcomings and specific recommendations pointed out by the Commissioner’s Office and has actively taken corrective actions since. It is currently improving its IT policies and guidelines, enhancing information system and data security, and adopting up-to-date security technologies and solutions. It once again strongly condemned the hackers’ unauthorized access to its computer systems and viewing of data, and expressed deep apologies to those affected.

The Honorary Chairman of the Hong Kong Information Technology Chamber, Andrew Fong, stated that monitoring the dark web after an incident to check for any potential data leaks is a responsible practice. He advised companies that if they no longer operate work-from-home arrangements after the pandemic, they should shut down the corresponding remote network access. Additionally, requiring employees to use multifactor authentication for remote work and regularly updating network devices can help minimize the risk of attacks.
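The two control gaps the report names, remote VPN access left open after the work-from-home period and remote logins without MFA (worst on accounts with administrative privileges), can be checked mechanically against an identity inventory. The following is an added illustration, not code from the Consumer Council or the Commissioner's Office; the account records are constructed, and the May 2022 cut-off date is an assumption taken from the report's statement that the arrangement ended that month.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumption: remote access should have been withdrawn when the
# work-from-home arrangement ended (May 2022 according to the report).
WFH_END = date(2022, 5, 31)


@dataclass
class VpnAccount:
    user: str
    remote_enabled: bool            # account can still log in over the VPN
    mfa_enrolled: bool              # an MFA factor is registered for remote logins
    is_admin: bool                  # holds administrative privileges
    last_remote_login: Optional[date]


def audit_remote_access(accounts: List[VpnAccount],
                        cutoff: date = WFH_END) -> List[Tuple[str, str, str]]:
    """Return (user, severity, finding) tuples for every account that still
    reproduces one of the gaps the investigation described."""
    findings = []
    for a in accounts:
        if not a.remote_enabled:
            continue  # access already withdrawn: nothing to report
        msg = "remote access still enabled after WFH ended"
        if a.last_remote_login and a.last_remote_login > cutoff:
            msg += f", last used {a.last_remote_login.isoformat()}"
        findings.append((a.user, "medium", msg))
        if not a.mfa_enrolled:
            # An admin credential usable over VPN without MFA is the exact
            # combination the attackers exploited, so rank it highest.
            sev = "critical" if a.is_admin else "high"
            findings.append((a.user, sev, "remote access without MFA"))
    return findings


# Constructed sample inventory for illustration only.
SAMPLE = [
    VpnAccount("it-admin", True, False, True, date(2023, 9, 18)),
    VpnAccount("clerk", True, False, False, date(2022, 3, 1)),
    VpnAccount("analyst", True, True, False, date(2023, 1, 10)),
    VpnAccount("former-staff", False, False, False, None),
]

if __name__ == "__main__":
    for user, sev, msg in audit_remote_access(SAMPLE):
        print(f"{sev:8} {user:13} {msg}")
```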